A MoFo Privacy Minute Q&A: Protecting the Mind - Exploring Brain Privacy Law

This is “A MoFo Privacy Minute,” where we will answer the questions our clients are asking us in sixty seconds or less.

Question: Colorado recently amended its state privacy law to cover biological data and neural data. Both California and Minnesota are considering similar laws. I doubt my company is doing anything with biological data or neural data. What kinds of business activities would these new requirements apply to, and what are the requirements of the new law?

Answer: Surprisingly to some, there are already many varied business uses of biological data and neural data within different industries, and they are not only medical uses. Headbands, helmets, and ear buds are on the market that detect electrical activity from the brain, using electroencephalogram (EEG) and electromyography (EMG) tests, and use the data for a variety of purposes. fMRI scans can show which areas of your brain are most active. These brain activities have the potential to reveal a lot about a person, such as their truthfulness, personal feelings, political leanings, propensity to spend money, sexual orientation, and risk tolerance. In addition to the many promising medical uses of this technology, such as predicting epileptic seizures and treating paralysis or ALS, other uses of brain data are either available now or are in the research and development stage:

• Brain-computer interfaces to enable users of computing and gaming devices to operate devices with their brains instead of their hands and fingers;
• Rail, mining, trucking, aviation, factory, and construction companies can use brain data to detect when a driver or worker is getting drowsy or inattentive;
• Use of brain data to uniquely identify an individual;
• Use of brain data to detect truthfulness and lying;
• Advertisers may be able to use it to detect what a person likes and dislikes, and, possibly in the future, what sales pitches would be effective on a person;
• Employers may be able to use it to track worker productivity;
• Educators may be able to use it to detect whether students are paying attention and engaged in learning;
• Mobile apps can use it for meditation coaching and to detect and treat stress, anxiety, and depression;
• Law enforcement can use it to gather evidence from a suspect’s brain for use in a criminal investigation.

The new Colorado law puts biological data and neural data into the Colorado Privacy Act’s definition of “sensitive personal information,” which means that businesses that handle this kind of information must:

• Post a privacy notice informing individuals about the business’s collection, use, retention, and disclosure of this information, including each purpose for which each category of personal information is used;
• Obtain clear, freely given, informed, specific, affirmative, unambiguous consent from an individual to collect and use such information, without the use of dark patterns;
• Refresh such consent every 24 months absent having interacted with the individual in the meantime, or provide a user-controlled interface for the consumer to manage their opt-out preferences at any time;
• Disclose the names of third parties to which the business sells this information;
• Delete or de-identify this information when it is no longer necessary for the purpose for which it was collected, and in any event when an individual has withdrawn consent for its use;
• Inform individuals of the purposes for which it uses this data, and only collect such information that is reasonably necessary to fulfill, or is compatible with, those purposes, absent additional consent;
• Afford individuals the right and ability to access, correct, and delete this information from the business’s possession or control, and to opt-out of the business selling this information or using it for targeted advertising or to make important automated decisions;
• Conduct data protection assessments on the collection, use, retention, and disclosure of this information;
• Not use this data for unlawful discrimination; and
• Take reasonable measures to secure this data.

The definition of “biological data” in the Colorado law is limited to information used or intended to be used for identification purposes. However, due to an ambiguity in the drafting, it is unclear whether that caveat also applies to neural data. Furthermore, the Colorado Privacy Act does not apply to employee or job candidate information, so these requirements do not apply in the employer-employee context.

California’s Senate Bill 1223, if enacted, would, like the Colorado law, make neural data “sensitive personal information” under the California Consumer Privacy Act (CCPA). The requirements would be roughly similar to some of the requirements under the Colorado law, except the California law would give individuals a limited right to opt-out of a business’s processing of this kind of information instead of requiring businesses to obtain their consent to do so. Unlike the Colorado law, California’s CCPA also applies to employee data, so if California enacts Senate Bill 1223 making neural data “sensitive personal information,” these requirements will protect California residents in their capacities as both consumers and employees.

As showcased above, brain data can be used in more ways than one would think, including for many ordinary business uses. In-house counsel should expect to hear more about these technologies from their clients in the coming years and should request that their clients share any anticipated use of brain data during the early stage of planning so that legal considerations can be taken into consideration.

For more information about neuro privacy, read Nita Farahany’s truly enlightening book, The Battle for Your Brain: Defending the Right to Think Freely in the Age of Neurotechnology, which provides examples of many of the use cases listed above.